From 5b0dda6e75b6db1c75622a913a1c84bf4971f67c Mon Sep 17 00:00:00 2001
From: George Liu
Date: Wed, 14 Feb 2018 08:40:35 +1000
Subject: [PATCH] update OpenSSL 1.1.1 TLS 1.3 support for pre-release versions
Previously Centmin Mod supported OpenSSL 1.1.1-dev version pulled from github master branch but need to rework routines so to support tarball based OpenSSL 1.1.1 pre-release alphas and eventually OpenSSL 1.1.1 tarball versions https://community.centminmod.com/threads/openssl-1-1-1-first-alpha-pre-release-1-out.13996/#post-59524
---
 addons/acmetool.sh | 5 +++--
 inc/nginx_configure.inc | 29 +++++++++++++++++++++++++++--
 inc/nginx_install.inc | 5 +++--
 inc/nginx_patch.inc | 4 ++--
 inc/nginx_upgrade.inc | 5 +++--
 inc/openssl_install.inc | 22 ++++++++++++++--------
 tools/nv.sh | 5 +++--
 7 files changed, 55 insertions(+), 20 deletions(-)
diff --git a/addons/acmetool.sh b/addons/acmetool.sh
index 8f26dada3..6dfe0c1ef 100755
--- a/addons/acmetool.sh
+++ b/addons/acmetool.sh
@@ -614,8 +614,9 @@ sslopts_check() {
 CHACHACIPHERS=""
 fi
- DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1,2)
- if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]]; then
+ DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1-2)
+ DETECTOPENSSL_ONEONE=$(echo $OPENSSL_VERSION | cut -d . -f1-3 | grep -o 1.1.1)
+ if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]] || [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' ]]; then
 # openssl 1.1.0 unsupported flag enable-tlsext
 if [[ "$(grep -w 'tls1_3' "${DIR_TMP}/openssl-${OPENSSL_VERSION}/Configure")" ]]; then
 TLSONETHREEOPT=' enable-tls1_3'
diff --git a/inc/nginx_configure.inc b/inc/nginx_configure.inc
index c56577cc0..a13833cbf 100644
--- a/inc/nginx_configure.inc
+++ b/inc/nginx_configure.inc
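Review bot: The added `grep -o 1.1.1` in the DETECTOPENSSL_ONEONE line is an unquoted regex in which each `.` matches any character, so it is looser than the literal version prefix it is meant to find, and `$OPENSSL_VERSION` is fed to `echo` unquoted; `DETECTOPENSSL_ONEONE=$(printf '%s\n' "$OPENSSL_VERSION" | cut -d . -f1-3 | grep -oF '1.1.1')` matches the literal string and avoids word-splitting. Note also that `cut -d . -f1-2` on any 1.1.1 version string (`1.1.1`, `1.1.1-pre1`, `1.1.1a`) already yields `1.1`, so `[[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]]` is already true for those builds and the appended `|| [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' ]]` does not change which builds take the branch; if 1.1.1 is meant to be handled differently from 1.1.0 it needs its own branch rather than an OR. The same two lines recur in inc/nginx_configure.inc (@@ -145), inc/nginx_install.inc, inc/nginx_upgrade.inc, inc/openssl_install.inc (@@ -125, -326, -451, -469, -483) and tools/nv.sh. sslopts_check's body continues outside the hunk.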
@@ -145,8 +145,9 @@ if [ -f "${CM_INSTALLDIR}/inc/z_custom.inc" ]; then
 fi
 # adjustments for OpenSSL 1.1.0
- DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1,2)
- if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]]; then
+ DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1-2)
+ DETECTOPENSSL_ONEONE=$(echo $OPENSSL_VERSION | cut -d . -f1-3 | grep -o 1.1.1)
+ if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]] || [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' ]]; then
 echo "detected $OPENSSL_VERSION"
 WITHOPENSSL_OPT=""
 WITHOPENSSL_OPTECHO=""
@@ -610,6 +611,12 @@ if [[ "$CENTOS_SEVEN" = '7' || "$CENTOS_SIX" = '6' ]]; then
 OPENSSLOPT=" --with-openssl=../openssl-tls1.3 --with-openssl-opt='enable-tls1_3'"
 else
 OPENSSLOPT=" --with-openssl=../openssl-tls1.3 --with-openssl-opt='enable-tls1_3'"
+ fi
+ elif [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' && "$ORESTY_LUANGINX" != [yY] ]]; then
+ if [[ "$(uname -m)" = 'x86_64' ]]; then
+ OPENSSLOPT=" --with-openssl=../$OPENSSLDIR --with-openssl-opt='enable-tls1_3'"
+ else
+ OPENSSLOPT=" --with-openssl=../$OPENSSLDIR --with-openssl-opt='enable-tls1_3'"
 fi
 else
 if [[ "$(uname -m)" = 'x86_64' ]]; then
@@ -630,6 +637,12 @@ if [[ "$CENTOS_SEVEN" = '7' || "$CENTOS_SIX" = '6' ]]; then
 OPENSSLOPT=" --with-openssl=../openssl-tls1.3 --with-openssl-opt='enable-tls1_3'"
 else
 OPENSSLOPT=" --with-openssl=../openssl-tls1.3 --with-openssl-opt='enable-tls1_3'"
+ fi
+ elif [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' && "$ORESTY_LUANGINX" != [yY] ]]; then
+ if [[ "$(uname -m)" = 'x86_64' ]]; then
+ OPENSSLOPT=" --with-openssl=../$OPENSSLDIR --with-openssl-opt='enable-tls1_3'"
+ else
+ OPENSSLOPT=" --with-openssl=../$OPENSSLDIR --with-openssl-opt='enable-tls1_3'"
 fi
 else
 export STATICLIBSSL="${OPENSSL_CUSTOMPATH}"
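Review bot: In the new `elif [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' && "$ORESTY_LUANGINX" != [yY] ]]` branch of the @@ -610 hunk, both arms of the inner `if [[ "$(uname -m)" = 'x86_64' ]]` assign the identical OPENSSLOPT string, so the architecture test is dead and the branch reduces to the single line `OPENSSLOPT=" --with-openssl=../$OPENSSLDIR --with-openssl-opt='enable-tls1_3'"`. The same duplicated arms appear in the @@ -630, @@ -1506 and @@ -1534 hunks of this file. `$OPENSSLDIR` is not set anywhere in this diff; presumably it is defined elsewhere in this file or in inc/openssl_install.inc, but if it can be empty the configure line silently becomes `--with-openssl=../`, so a comment naming where it comes from, or a `: "${OPENSSLDIR:?}"` guard before the assignment, would help. The enclosing if/elif chain starts and ends outside the hunk.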
@@ -1506,6 +1519,12 @@ else
 OPENSSLOPT=" --with-openssl=../openssl-tls1.3 --with-openssl-opt='enable-tls1_3'"
 else
 OPENSSLOPT=" --with-openssl=../openssl-tls1.3 --with-openssl-opt='enable-tls1_3'"
+ fi
+ elif [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' && "$ORESTY_LUANGINX" != [yY] ]]; then
+ if [[ "$(uname -m)" = 'x86_64' ]]; then
+ OPENSSLOPT=" --with-openssl=../$OPENSSLDIR --with-openssl-opt='enable-tls1_3'"
+ else
+ OPENSSLOPT=" --with-openssl=../$OPENSSLDIR --with-openssl-opt='enable-tls1_3'"
 fi
 else
 if [[ "$TLSONETHREE_DETECT" = [yY] ]]; then
@@ -1534,6 +1553,12 @@ else
 OPENSSLOPT=" --with-openssl=../openssl-tls1.3 --with-openssl-opt='enable-tls1_3'"
 else
 OPENSSLOPT=" --with-openssl=../openssl-tls1.3 --with-openssl-opt='enable-tls1_3'"
+ fi
+ elif [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' && "$ORESTY_LUANGINX" != [yY] ]]; then
+ if [[ "$(uname -m)" = 'x86_64' ]]; then
+ OPENSSLOPT=" --with-openssl=../$OPENSSLDIR --with-openssl-opt='enable-tls1_3'"
+ else
+ OPENSSLOPT=" --with-openssl=../$OPENSSLDIR --with-openssl-opt='enable-tls1_3'"
 fi
 else
 export STATICLIBSSL="${OPENSSL_CUSTOMPATH}"
diff --git a/inc/nginx_install.inc b/inc/nginx_install.inc
index b010fea21..22dfba6eb 100644
--- a/inc/nginx_install.inc
+++ b/inc/nginx_install.inc
@@ -239,11 +239,12 @@ funct_nginxconfigure
 fi
 # detect OpenSSL 1.1.0 for make -jXX support
- DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1,2)
+ DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1-2)
+ DETECTOPENSSL_ONEONE=$(echo $OPENSSL_VERSION | cut -d . -f1-3 | grep -o 1.1.1)
 if [[ "$LIBRESSL_SWITCH" = [yY] ]]; then
 time make${MAKETHREADS}
 else
- if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]]; then
+ if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]] || [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' ]]; then
 time make${MAKETHREADS}
 else
 time make
diff --git a/inc/nginx_patch.inc b/inc/nginx_patch.inc
index f3ab2cf8f..7b36c1caf 100644
--- a/inc/nginx_patch.inc
+++ b/inc/nginx_patch.inc
@@ -8,7 +8,7 @@ ngx_hpack_patch() {
 NGINX_PUSHBASE=$NGINX_VERSION
 echo "$DETECT_NGXVER"
 fi
- DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1,2)
+ DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1-2)
 if [[ "$NGINX_HPACK" = [yY] && "$DETECT_NGXVER" -ge '1013006' ]]; then
 pushd "${DIR_TMP}/nginx-${NGINX_PUSHBASE}"
 cecho "patching nginx http/2 full HPACK encoding support" $boldyellow
@@ -186,7 +186,7 @@ patchnginx() {
 sleep "$NGINXPATCH_DELAY"
 # unofficial OpenSSL 1.1.0 beta Nginx patches
- DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1,2)
+ DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1-2)
 # detect nginx <=1.11.3 or => 1.11.0 as 1.11.4+ has fix for openssl 1.1 so no patching needed
 # http://hg.nginx.org/nginx/rev/1891b2892b68
 if [ "$ngver" ]; then
diff --git a/inc/nginx_upgrade.inc b/inc/nginx_upgrade.inc
index 5f6271718..f5dfaf031 100644
--- a/inc/nginx_upgrade.inc
+++ b/inc/nginx_upgrade.inc
@@ -727,11 +727,12 @@ fi
 fi
 # detect OpenSSL 1.1.0 for make -jXX support
- DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1,2)
+ DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1-2)
+ DETECTOPENSSL_ONEONE=$(echo $OPENSSL_VERSION | cut -d . -f1-3 | grep -o 1.1.1)
 if [[ "$LIBRESSL_SWITCH" = [yY] ]]; then
 time make${MAKETHREADS}
 else
- if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]]; then
+ if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]] || [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' ]]; then
 time make${MAKETHREADS}
 else
 time make
diff --git a/inc/openssl_install.inc b/inc/openssl_install.inc
index 6f0428178..710345a1e 100644
--- a/inc/openssl_install.inc
+++ b/inc/openssl_install.inc
@@ -125,7 +125,8 @@ if [[ "$(uname -m)" != 'x86_64' ]]; then
 CLOUDFLARE_PATCHSSL='n'
 fi
-DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1,2)
+DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1-2)
+DETECTOPENSSL_ONEONE=$(echo $OPENSSL_VERSION | cut -d . -f1-3 | grep -o 1.1.1)
 if [[ "$CLOUDFLARE_PATCHSSL" = [yY] && "$DETECTOPENSSL_ONEZERO" = '1.0' ]]; then
 # if [[ "${OPENSSL_VERSION}" = '1.0.1h' ]]; then
@@ -326,7 +327,8 @@ installopenssl() {
 # so fall back to 1.0.2 branch if lua nginx module is enabled
 OPENSSL_VERSION="$OPENSSL_VERSIONFALLBACK"
 fi
- DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1,2)
+ DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1-2)
+ DETECTOPENSSL_ONEONE=$(echo $OPENSSL_VERSION | cut -d . -f1-3 | grep -o 1.1.1)
 if [ ! -f /usr/local/go/bin/go ]; then
 # if golang is not detected BoringSSL switch will be disabled
 # and default to using OpenSSL 1.0.2+
@@ -424,7 +426,7 @@ installopenssl() {
 fi
 #-- Build static openssl
- if [[ "$TLSONETHREE" = [yY] && "$ORESTY_LUANGINX" != [yY] ]]; then
+ if [[ "$TLSONETHREE" = [yY] && "$ORESTY_LUANGINX" != [yY] ]] && [[ "$DETECTOPENSSL_ONEONE" != '1.1.1' ]] ; then
 OPENSSL_CUSTOMPATH='/opt/openssl-tls1.3'
 export STATICLIBSSL="${OPENSSL_CUSTOMPATH}"
 cd "$DIR_TMP"
@@ -451,7 +453,7 @@ installopenssl() {
 else
 ECNISTP_OPT=""
 fi
- if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]]; then
+ if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]] || [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' ]]; then
 # openssl 1.1.0 unsupported flag enable-tlsext
 if [[ "$(grep -w 'tls1_3' Configure)" ]]; then
 TLSONETHREEOPT=' enable-tls1_3'
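Review bot: The new condition in the @@ -424 hunk, `... ]] && [[ "$DETECTOPENSSL_ONEONE" != '1.1.1' ]] ;`, splits one test across two `[[ ]]` groups and leaves a stray space before `;`; `if [[ "$TLSONETHREE" = [yY] && "$ORESTY_LUANGINX" != [yY] && "$DETECTOPENSSL_ONEONE" != '1.1.1' ]]; then` reads as a single condition. Since this is the line that now routes 1.1.1 away from the `/opt/openssl-tls1.3` custom path set on the next line, a one-line comment such as `# OpenSSL 1.1.1 tarballs are built through the regular branch below, not the openssl-tls1.3 git checkout` would save the next reader from re-deriving the intent from the nginx_configure.inc changes. installopenssl starts and ends outside these hunks.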
@@ -469,12 +471,14 @@ installopenssl() {
 elif [[ ! "${OPENSSL_THREADS}" ]]; then
 OPENSSL_THREADSOPT=""
 fi
- ./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)' --prefix=$STATICLIBSSL --openssldir=$STATICLIBSSL shared${ECNISTP_OPT}${TLSONETHREEOPT}${OPENSSL_THREADSOPT}
+ echo "./config -Wl,--enable-new-dtags,-rpath=${STATICLIBSSL}/lib --prefix=$STATICLIBSSL --openssldir=$STATICLIBSSL shared${ECNISTP_OPT}${TLSONETHREEOPT}${OPENSSL_THREADSOPT}"
+ ./config -Wl,--enable-new-dtags,-rpath=${STATICLIBSSL}/lib --prefix=$STATICLIBSSL --openssldir=$STATICLIBSSL shared${ECNISTP_OPT}${TLSONETHREEOPT}${OPENSSL_THREADSOPT}
 else
+ echo "./config --prefix=$STATICLIBSSL --openssldir=$STATICLIBSSL shared enable-tlsext${ECNISTP_OPT}"
 ./config --prefix=$STATICLIBSSL --openssldir=$STATICLIBSSL shared enable-tlsext${ECNISTP_OPT}
 fi
 else
- if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]]; then
+ if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]] || [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' ]]; then
 # openssl 1.1.0 unsupported flag enable-tlsext
 if [[ "$(grep -w 'tls1_3' Configure)" ]]; then
 TLSONETHREEOPT=' enable-tls1_3'
@@ -483,12 +487,14 @@ installopenssl() {
 TLSONETHREEOPT=""
 TLSONETHREE_DETECT='n'
 fi
- ./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)' --prefix=$STATICLIBSSL --openssldir=$STATICLIBSSL shared${TLSONETHREEOPT}
+ echo "./config -Wl,--enable-new-dtags,-rpath=${STATICLIBSSL}/lib --prefix=$STATICLIBSSL --openssldir=$STATICLIBSSL shared${TLSONETHREEOPT}"
+ ./config -Wl,--enable-new-dtags,-rpath=${STATICLIBSSL}/lib --prefix=$STATICLIBSSL --openssldir=$STATICLIBSSL shared${TLSONETHREEOPT}
 else
+ echo "./config --prefix=$STATICLIBSSL --openssldir=$STATICLIBSSL shared enable-tlsext"
 ./config --prefix=$STATICLIBSSL --openssldir=$STATICLIBSSL shared enable-tlsext
 fi
 fi
- if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]]; then
+ if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]] || [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' ]]; then
 make${MAKETHREADS}
 else
 make depend
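Review bot: The rewritten `./config` lines embed `$STATICLIBSSL` unquoted in `--prefix=`, `--openssldir=` and the new `-rpath=${STATICLIBSSL}/lib`; if the variable is empty or unset at this point the library is silently configured with an empty prefix and a runtime library search path of `/lib`, which the echoed command makes visible but does not stop. A guard such as `: "${STATICLIBSSL:?STATICLIBSSL must be set before ./config}"` placed before the echo, here and in the @@ -483 hunk, turns that into an immediate failure. The echo lines only print the command before it runs, so a non-zero exit from `./config` is still not surfaced; `./config ... || return 1` (or an explicit status check) would be the matching addition. installopenssl starts and ends outside these hunks.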
diff --git a/tools/nv.sh b/tools/nv.sh
index 58d731a8b..40d69525f 100755
--- a/tools/nv.sh
+++ b/tools/nv.sh
@@ -717,8 +717,9 @@ else
 CHACHACIPHERS=""
 fi
-DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1,2)
-if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]]; then
+DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION | cut -d . -f1-2)
+DETECTOPENSSL_ONEONE=$(echo $OPENSSL_VERSION | cut -d . -f1-3 | grep -o 1.1.1)
+if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]] || [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' ]]; then
 # openssl 1.1.0 unsupported flag enable-tlsext
 if [[ "$(grep -w 'tls1_3' "${DIR_TMP}/openssl-${OPENSSL_VERSION}/Configure")" ]]; then
 TLSONETHREEOPT=' enable-tls1_3'